16,500 Ivanti Gateways at Risk: Critical RCE Bug CVE-2024-21894 Exposes Enterprises

Get ready to patch, folks! 16,500 Ivanti gateways are playing “Welcome” mat for hackers, thanks to a heap of trouble named CVE-2024-21894. Don’t be the host of a cyber-crash party—update now! 🛡️💻🚨

Hot Take:

Well, it seems like the cyber equivalent of leaving your front door wide open and then being surprised when uninvited guests show up to your party. Ivanti’s little “oopsie” with a heap overflow vulnerability is like a neon sign for hackers, with thousands of gateways rolling out the red carpet saying, “Hack me, I’m easy!” But hey, at least they’re consistent—nothing brings the global cybersecurity community together like a shared sense of impending doom, right?

Key Points:

  • A heap of trouble: Ivanti Connect Secure and Policy Secure gateways are waving a flag at hackers with a severe RCE vulnerability.
  • Shodan and Shadowserver’s game of ‘Hide and Seek’: They’ve spotted up to 29,000 internet-exposed instances that are potential cyber piñatas waiting to be whacked.
  • American Pie… and Japanese sushi, and British tea: The vulnerability is an international buffet with thousands of instances exposed worldwide.
  • The sequel no one asked for: This isn’t Ivanti’s first rodeo with vulnerabilities, as they’ve previously been the gateway to some state-sponsored shenanigans.
  • The procrastinator’s guide to cybersecurity: System admins who haven’t updated their systems are strongly encouraged to quit playing Candy Crush and patch things up.

Cve id: CVE-2024-22024
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 02/13/2024
Cve description: An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Cve id: CVE-2023-46805
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/12/2024
Cve description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Cve id: CVE-2024-21893
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/31/2024
Cve description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Cve id: CVE-2024-21887
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/12/2024
Cve description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Cve id: CVE-2024-21894
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 04/04/2024
Cve description: A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.

Need to know more?

The Overflowing Heap of Trouble

Calling all sysadmins: it's time to don your capes because the Ivanti universe is under siege once again. The villain this time is a high-severity heap overflow in the IPSec component, which sounds like a terrible plumbing issue but is actually way worse. This little bugger lets even the noobiest of hackers potentially cause chaos with the simplicity of a specially crafted request, no login required: at minimum the service crashes, and under certain conditions it can run arbitrary code. It's like asking for extra sprinkles and getting the keys to the castle instead.

Global Exposure: The Not-So-Exclusive Club

Looking at the global exposure stats, it's like a leaderboard of vulnerability, with the USA taking the gold. But don't worry, other countries are also in the running, making this a truly international cybersecurity Olympics. And just like any sport, the winners here are not the ones with the most points. It's a race where you really, really want to come in last—or, better yet, not compete at all.

Deja Vu All Over Again

If you're getting a sense of déjà vu, it's because this isn't the first time Ivanti has made headlines for security vulnerabilities. Earlier this year, it was like a hacker's Christmas, with various Ivanti products being the gifts that kept on giving. State-sponsored actors had a field day with zero-days, while Ivanti was probably wishing it could turn back time and un-invent those bugs.

The Mandiant Exposé

For those who love a deep dive into cyber espionage, Mandiant's latest report reads better than a spy thriller. It's got everything: Chinese hackers, five distinct activity clusters, and a malware named 'SPAWN' that's as ominous as it sounds. The report's like the cybersecurity version of a true crime podcast, and you can almost hear the dramatic background music as you read it.

Procrastination Nation

For the sysadmins out there who have been taking a "mañana" approach to applying updates, consider this your wake-up call. The vendor's knowledge base article isn't just for light reading—it's the guide to fortifying your digital fortress. Ignore it, and you might as well hang a "Gone Phishing" sign on your network. So, go ahead, swap that game of solitaire for some patching action, and maybe, just maybe, you'll avoid becoming the next cautionary tale in the cyber world.

Tags: CVE-2024-21894, Global exposure, Heap Overflow, Ivanti Connect Secure, RCE Vulnerability, SPAWN malware, state-sponsored hacking